Can Your iPhone Bring Down a Plant?

Control engineers at plants wage a continual battle to protect their systems from intrusion. In the past, plant systems were in silos, separated from the outside world. Now the plant network is connected to the company's ERP system, and it also reaches out to customers and suppliers. These extended networks deliver considerable efficiency, but they also make the plant vulnerable to direct attack or, more likely, to inadvertent attack from malware.

Mobile Device Intrusion

One major change in recent years is the entry of the smartphone into the plant. "Employees are bringing their own devices. IT departments are relaxing their death grip on the network and they're allowing smartphones onto the floor," applications engineer Ben Orchard of Opto 22 told Design News. "It's because IT has had time to implement its security systems."

Yet security for mobile devices is a moving target. BlackBerry had a BlackBerry server. "When the BlackBerry came into the plant, the network was connected to the BlackBerry server," Orchard told us. "The plant ran Windows and we could administer security. All you could do on the BlackBerry was corporate email. Then the iPhone stormed the mobile workplace and it was the Internet in your pocket."

A layout of the new networked plant.

IT balked at devices that connected out to the world. "IT said, 'No, we don't want to invite the Internet into the plant network,' but people started to bitterly complain that they can use the iPhone outside the building but not inside. They wanted to do what they wanted to do on their device," said Orchard. To complicate matters, industrial-specific applications for iPhones and Androids began to show up, and plant employees wanted to use them. "They asked, 'Why can't we do it?' and IT replied, 'We haven't had time to set up the security,'" Orchard noted. "Industrial automation moves slowly. Mobile has been thrust on it."

The War Between IT and Control

There has long been tension between plant control and corporate IT when it comes to security. The two disciplines have opposing points of view. IT's mantra is that protection comes first. Control insists that uptime and throughput come first. "The war with IT will never settle down. IT is an organization with a set of tools to protect their network. Their job is to protect data," Lee Neitzel, senior technologist at Emerson Process Management, told Design News. "All of their tools are around protecting data. IT says we're going to install this in two hours and it will require a reboot, and control has no choice in the matter."

Seriously, the three-level approach is the way to go, but many IT groups are not staffed for that. I also feel that many IT groups simply refused to consider dealing with BYOD, and so were caught flat-footed when they got run over by the 21st century.

Many corporations that allow employees to use their own mobile devices at work implement a BYOD security policy. BYOD security can be addressed by having IT provide detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network.

IT may require devices to be configured with passwords, prohibit specific types of applications from being installed on the device, or require all data on the device to be encrypted. Other BYOD security policy initiatives may include limiting the activities that employees are allowed to perform on these devices at work, such as restricting email usage to corporate email accounts only.

Most smartphone users connect to public Wi-Fi. If users connect their phones, containing company information, to an unsecured Wi-Fi network, then a real security issue is created. If the same smartphone is connected back to the corporate network over a public Wi-Fi network, it could put the entire company network at risk. Users should be required to connect to the company network via an SSL VPN, so that the data traveling between the phone and the company network is encrypted in transit and can't be read if it's intercepted.

Some smartphone OSes bypass security mechanisms for the user's convenience. This makes it a lot easier and less frustrating for smartphones to connect to any plant's devices, but it also defeats the purpose of those security measures.

Web browsers on smartphones have gotten a lot better, but the web is a major source of malicious code. On the small screen of a smartphone, it's more difficult for users to detect that a site is a phishing site. The malware can then be transferred from the phone onto the network.

What a great article. This really points out the serious security threats posed by the plant's connection to the ERP system. Recently, we've heard a lot about theft of corporate intellectual property in big companies. But stuffing documents in a briefcase will soon be passé. This is much scarier.

Good point, TJ. But I do remember that when I asked what was the greatest threat to plant security systems, time after time I heard, "A disgruntled former employee." One threat I heard less frequently -- but which seems to me a bigger threat -- is the inadvertent attack from a malware bug that enters the system when an employee loads some music onto a workstation.

Rob, proper security would end her access upon her termination of employment. But that problem isn't limited to remote access. A disgruntled IT employee can cause far more damage from within than without. That is a completely different problem.
